MetricSign
Low severity · authentication

Power BI Error:
AADSTS50120

What does this error mean?

Microsoft Entra ID (Azure AD) rejected the sign-in because the JWT header presented an unsupported or malformed credential type.

Common causes

  • Service principal authenticating with a client assertion JWT that has an unsupported `alg` (e.g. HS256 instead of RS256) or missing `typ: JWT` in the header
  • Certificate-based auth where the `x5t` (thumbprint) header value doesn't match any certificate uploaded to the Entra ID app registration
  • Expired or rotated certificate on the app registration while the client still signs assertions with the old private key
  • Custom auth library (e.g. older MSAL versions, hand-rolled JWT signing in Power BI gateway / ADF linked services) generating a malformed JWT header
  • Federated identity credential (workload identity) misconfigured — wrong issuer, subject, or audience in the federation trust

How to fix it

  1. Decode the failing JWT client assertion (jwt.ms) and inspect the header — confirm `alg` is `RS256`, `typ` is `JWT`, and `x5t` matches a certificate currently uploaded to the Entra app registration
  2. In the Entra ID portal → App registrations → your app → Certificates & secrets, verify the certificate thumbprint is present and not expired; re-upload the public key (.cer) if rotated
  3. If using MSAL or Azure.Identity, upgrade to the latest SDK version and let it build the assertion — avoid hand-signed JWTs in Power BI gateway connectors and ADF linked services
  4. For federated workload identity (GitHub Actions, AKS, etc.), re-check the federated credential's issuer/subject/audience match the token your workload sends
  5. If the failing principal is a Power BI service principal used by an embedded app or scheduled refresh, regenerate its certificate, update the secret in your tenant's Key Vault, and restart the gateway / refresh the dataset credentials
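The header check from step 1 can also be run locally, so the assertion never leaves the machine. The following is an added example, not code from this page or from Microsoft: the function names are hypothetical, the thumbprint and assertion are constructed sample data, and the thumbprints you pass in are assumed to be the hex SHA-1 values of the certificates on the app registration.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def thumbprint_to_x5t(hex_thumbprint: str) -> str:
    # A hex SHA-1 thumbprint and x5t are the same 20 bytes; x5t is base64url.
    return b64url_encode(bytes.fromhex(hex_thumbprint.replace(":", "")))

def check_assertion_header(assertion: str, registered_thumbprints: list) -> list:
    """Return the header problems found; an empty list means these checks passed."""
    parts = assertion.split(".")
    if len(parts) != 3:
        return ["not a compact JWT: expected 3 dot-separated segments"]
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header segment is not base64url-encoded JSON"]
    if not isinstance(header, dict):
        return ["header is not a JSON object"]
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"alg is {header.get('alg')!r}, expected 'RS256'")
    if header.get("typ") != "JWT":
        problems.append(f"typ is {header.get('typ')!r}, expected 'JWT'")
    allowed = {thumbprint_to_x5t(t) for t in registered_thumbprints}
    x5t = header.get("x5t")
    if not isinstance(x5t, str):
        problems.append("x5t is missing")
    elif x5t.rstrip("=") not in allowed:
        problems.append(f"x5t {x5t!r} matches no registered certificate")
    return problems

# Constructed sample data: not a real certificate thumbprint or a real assertion.
SAMPLE_THUMBPRINT = "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678"

def build_sample_assertion(header: dict) -> str:
    return ".".join(b64url_encode(p) for p in
                    (json.dumps(header).encode(), b"{}", b"constructed-signature"))

if __name__ == "__main__":
    bad = build_sample_assertion({"alg": "HS256", "x5t": "AAAA"})
    for problem in check_assertion_header(bad, [SAMPLE_THUMBPRINT]):
        print(problem)
```

This inspects the header only; it does not verify the signature or the certificate's expiry, which step 2 covers in the portal.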

Frequently asked questions

What does AADSTS50120 mean?

Unknown credential type, issue with the JWT header. Contact the tenant admin.

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes
